SAML authentication
The Security Assertion Markup Language (SAML) is a data format for authentication and authorization. One of the key benefits of SAML is that it enables single sign-on (SSO), and thereby minimizes the number of times a user has to log on to cloud applications and websites.
Three entities are involved in the authentication process:
- the user
- the identity provider (IdP)
- the service provider (SP)
The identity provider authenticates the user. When the identity provider has asserted the user identity, the service provider can give the user access to their services. Because the identity provider has enabled SSO, the user can access several service provider sites and applications without having to log in at each site.
Identity provider initiated SSO
With identity provider initiated SSO, the user logs in directly to the identity provider, which performs the SSO authentication.
We recommend that you always set RelayState to https://<machine_name>/<vp_prefix>/hub, because if RelayState is empty, some identity providers will send a get request instead of a post request, which will cause a failure.
Service provider initiated SSO
With service provider initiated SSO, the user starts at the service provider site, but instead of logging in at the SP site, SSO authentication is initiated with the identity provider. In the authentication process, Qlik Sense plays the role of a service provider. When a user logs in to Qlik Sense, the login is transferred to the identity provider that handles the actual SSO authentication.
Metadata
The service provider (Qlik Sense) needs configuration information from an identity provider. This information is available as an IdP metadata file that users can download and deliver to the service provider for easy configuration. The IdP metadata is uploaded from the QMC.
Qlik Sense as a service provider is to provide the identity provider with SP metadata, which is downloaded from the QMC. The metadata includes the following information:
- Assertion consumer service (ACS) URL
- Entity ID
- Security certificate